RBAC roles in Xshield
Xshield features are accessed through one of the following role-based access control (RBAC) roles: Instance Admin, Policy Manager, Asset Manager, and Instance Observer. You must add users with one of these roles from the Users page on the ColorTokens Spectrum portal.
RBAC roles
Instance Admin
Instance Admin is a full-access role that grants privileges to all the features on the Xshield UI. Instance Admins are the administrators for their Xshield instances.
Policy Manager
Policy Manager is a role with Full, Read-only, and Limited access to the features available on the Xshield UI. Policy Managers can create policies, but they cannot create or apply policies for assets. See RBAC role privileges for more details about the privileges for Policy Managers.
Asset Manager
Asset Manager is a role with Scoped, Read-only, and Limited access to the features available on the Xshield UI. Asset Managers can only manage the assets in their scope; the scope is set by assigning Scope tags to the user with this role when adding the user to Spectrum. Also, while an Asset Manager can create and manage Workload groups and Endpoint groups, they cannot create or manage Network groups and Domain groups. See RBAC role privileges for more details about the privileges for Asset Managers.
You can also add Asset Manager accounts without assigning any Scope tags. In this case, the Asset Manager can only access untagged assets in the instance.
Instance Observer
Instance Observer is a read-only access role in Xshield. Users with this role can see all the pages and objects in the instance but cannot perform any actions that modify them.
RBAC role privileges
In Xshield, the following types of privileges are available for RBAC roles. The privileges listed here apply to the features available in the left navigation panel.
| Privilege | Description |
| --- | --- |
| Full access | All features listed in a menu in the left-navigation panel can be viewed, configured, and edited. |
| Read-only access | All features listed in a menu in the left-navigation panel can only be viewed. |
| Scoped access | All features listed in a menu in the left-navigation panel are scoped or restricted to the Scope tags assigned to the role. So, data for the Dashboard, Visualizer, and Alerts menus is restricted to the assets with the Scope tags. |
| Limited access | Only some features listed in a menu in the left-navigation panel are available for use. For example, a Policy Manager can only use the Templates and Access Parameters features in the Policies menu and the Network and Domain features in the Groups menu. |
See the following table for the privileges assigned to the RBAC roles in Xshield.
| Menu | Instance Admin | Policy Manager | Asset Manager | Instance Observer |
| --- | --- | --- | --- | --- |
| Dashboard | Full access | Read-only access | Scoped access | Read-only access |
| Alerts | Full access | Full access | Scoped access | Read-only access |
| Visualizer | Full access | Read-only access | Scoped access | Read-only access |
| Assets | Full access | Read-only access | Scoped access | Read-only access |
| Groups | Full access | Limited access | Limited access | Read-only access |
| Policies | Full access | Limited access | Limited access | Read-only access |
| Users | Full access | Read-only access | Read-only access | Read-only access |
| Reports | Full access | Read-only access | Read-only access | Read-only access |
| Settings | Full access | Read-only access | Read-only access | Read-only access |
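The following Python model is an added example written for this page; it is not ColorTokens code and does not reflect how Xshield implements authorization internally. It encodes the privilege table above and the Asset Manager scoping rules (Scope tags, and the untagged-assets-only behaviour for an Asset Manager with no tags) as a single authorization decision, so the four privilege types can be exercised against constructed users and assets. The `User`, `Asset`, `authorize` and `visible_assets` names, the `"view"`/`"edit"` actions and the `env:prod`-style tag values are all assumptions of the example. Where the page does not enumerate the sub-features of a Limited menu (the Asset Manager's Policies menu), the model denies access rather than guessing.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Privilege(Enum):
    FULL = "Full access"
    READ_ONLY = "Read-only access"
    SCOPED = "Scoped access"
    LIMITED = "Limited access"


MENUS = ("Dashboard", "Alerts", "Visualizer", "Assets", "Groups",
         "Policies", "Users", "Reports", "Settings")

# Role -> menu -> privilege, transcribed from the privilege table on this page.
MATRIX = {
    "Instance Admin": dict.fromkeys(MENUS, Privilege.FULL),
    "Policy Manager": {
        "Dashboard": Privilege.READ_ONLY, "Alerts": Privilege.FULL,
        "Visualizer": Privilege.READ_ONLY, "Assets": Privilege.READ_ONLY,
        "Groups": Privilege.LIMITED, "Policies": Privilege.LIMITED,
        "Users": Privilege.READ_ONLY, "Reports": Privilege.READ_ONLY,
        "Settings": Privilege.READ_ONLY,
    },
    "Asset Manager": {
        "Dashboard": Privilege.SCOPED, "Alerts": Privilege.SCOPED,
        "Visualizer": Privilege.SCOPED, "Assets": Privilege.SCOPED,
        "Groups": Privilege.LIMITED, "Policies": Privilege.LIMITED,
        "Users": Privilege.READ_ONLY, "Reports": Privilege.READ_ONLY,
        "Settings": Privilege.READ_ONLY,
    },
    "Instance Observer": dict.fromkeys(MENUS, Privilege.READ_ONLY),
}

# Sub-features usable under Limited access, exactly as the page lists them.
# The page does not list the Policies sub-features for Asset Manager, so that
# pair is absent and authorize() fails closed for it (an assumption of this example).
LIMITED_FEATURES = {
    ("Policy Manager", "Policies"): frozenset({"Templates", "Access Parameters"}),
    ("Policy Manager", "Groups"): frozenset({"Network", "Domain"}),
    ("Asset Manager", "Groups"): frozenset({"Workload", "Endpoint"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    scope_tags: frozenset = frozenset()  # Scope tags assigned when the user is added


@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset = frozenset()


def in_scope(user: User, asset: Asset) -> bool:
    """Scoped access rule: a user with Scope tags sees assets carrying at least one
    of those tags; a user with no Scope tags sees only untagged assets."""
    if not user.scope_tags:
        return not asset.tags
    return bool(user.scope_tags & asset.tags)


def authorize(user: User, menu: str, action: str,
              feature: Optional[str] = None, asset: Optional[Asset] = None) -> bool:
    """Return True if `user` may perform `action` ("view" or "edit") in `menu`.

    `feature` names the sub-feature for Limited menus; `asset` is the object being
    touched for Scoped menus. Anything the table does not cover is denied.
    """
    if action not in ("view", "edit"):
        return False
    priv = MATRIX.get(user.role, {}).get(menu)
    if priv is Privilege.FULL:
        return True
    if priv is Privilege.READ_ONLY:
        return action == "view"
    if priv is Privilege.SCOPED:
        # The menu itself is usable; any asset-bound operation is checked against scope.
        return asset is None or in_scope(user, asset)
    if priv is Privilege.LIMITED:
        allowed = LIMITED_FEATURES.get((user.role, menu), frozenset())
        return feature in allowed
    return False  # unknown role or menu: deny by default


def visible_assets(user: User, inventory: List[Asset]) -> List[str]:
    """Names of the inventory assets the user may see in the Assets menu."""
    return [a.name for a in inventory if authorize(user, "Assets", "view", asset=a)]


if __name__ == "__main__":
    # Constructed sample inventory; tag values are illustrative, not Xshield defaults.
    inventory = [
        Asset("web-01", frozenset({"env:prod"})),
        Asset("db-01", frozenset({"env:prod", "tier:data"})),
        Asset("dev-box", frozenset({"env:dev"})),
        Asset("lab-vm"),  # untagged
    ]
    print(visible_assets(User("alice", "Asset Manager", frozenset({"env:prod"})), inventory))
    print(visible_assets(User("bob", "Asset Manager"), inventory))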